This tutorial is about the steps to take to install Salt Master on Ubuntu performed by Server Administrators.
This task can be done either using Ubuntu SaltStack PPA or using Salt-Bootstrap.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform Software Installation tasks.
In this context, you shall learn the processes to install Salt Master on Ubuntu.
Installing and configuring Salt Master on Ubuntu involves a series of steps as listed below:
i. Install the Master Daemon
ii. Initial Master Configuration
iii. Install a Separate Minion
iv. Configure the Minion
Now, we will look into these processes briefly below.
The Salt master daemon can be installed in Ubuntu either using Ubuntu SaltStack PPA or using Salt-Bootstrap.
Installation using Ubuntu SaltStack PPA is the easiest method as it uses the Ubuntu native package management tools to install and update the required software. However, the packages can be significantly out-of-date.
Installation using Salt-Bootstrap attempts to use the native software tools available. However, it also provides easy access to the development versions of Salt.
First, we will need to add the SaltStack PPA to the server that we plan to use as the master:
saltmaster$ sudo add-apt-repository ppa:saltstack/salt
Like in all major software installations, we will need to update the local packages initially. Afterward, we can install the relevant software:
saltmaster$ sudo apt-get update
saltmaster$ sudo apt-get install salt-master salt-minion salt-ssh salt-cloud salt-doc
In the above command, we installed both the Salt master and minion daemons. This will allow us to control our master server with Salt as well.
We also installed salt-ssh and salt-cloud, which give us more flexibility in how we connect to and control resources.
An alternative method to install the stable version is using the salt-bootstrap script. This is available for download from the SaltStack website. This gives us more up-to-date versions of some of the Salt dependencies.
To get started, move to the home directory or somewhere else where we have the write permissions.
We can use curl to download the bootstrap script.
saltmaster$ cd ~
saltmaster$ curl -L https://bootstrap.saltstack.com -o install_salt.sh
It is a good idea to check the content of the script and confirm the actions that it will perform before actually running it.
Now, run the script. We will use the -P flag so that the script can use pip as a dependency source. Further, we also need to include the -M flag for the Salt master daemon to install.
saltmaster$ sudo sh install_salt.sh -P -M
Next, you need to configure the Salt master.
1. Create the Salt Directory Structures
First, we will create the configuration management directory structure where the Salt master will look for various files.
These are all under the /srv directory by default. We need /srv/salt and /srv/pillar to get started. Create them now by typing:
saltmaster$ sudo mkdir -p /srv/{salt,pillar}
ii. Modify the Salt Master Configuration
Next, we will adjust the Salt master configuration file. Open the file with an available text editor
The first thing we will do is set the file_roots dictionary. This basically specifies the locations where the Salt master will look for configuration management instructions.
The base specifies the default environment. Two of the directories we created earlier will be used for this purpose.
The /srv/salt will be used for administrator-created instructions, and the /srv/formulas will be set aside for pre-packaged configurations downloaded from external sources:
file_roots:
base:
- /srv/salt
- /srv/formulas
Salt uses YAML-style configuration files. These require strict attention to spacing and indentation for the daemon to correctly interpret the values.
Next, we will set up the root directory for our Salt pillar configuration.
pillar_roots:
base:
- /srv/pillar
Save and close the file once the changes are done.
iii. Modify the Salt Minion Configuration
To modify the configuration, open the Salt minion configuration “/etc/salt/minion” with an available text editor.
The only change we need to make is to specify the master that this minion should connect to.
In this case, the minion should connect to the master process running on the same machine. Set the master key equal to the local loopback address 127.0.0.1 in order for the minion to correctly connect:
master: 127.0.0.1
Save and close the file once finished.
iv. Restart the Processes
Now, we need to restart both the Salt master and minion daemons in order to use our new configurations:
$ sudo restart salt-master
$ sudo restart salt-minion
v. Accept the Minion Key
Following the reboot, the Salt minion daemon automatically contacts the Salt master with its credentials. As an administrator, we simply need to verify and accept the minion’s key to allow communication.
Start by listing all of the keys that the Salt master has knowledge of:
saltmaster$ sudo salt-key --list all
The saltmaster below should match the Salt minion ID of the system. This is typically the hostname of the server:
Accepted Keys:
Denied Keys:
Unaccepted Keys:
saltmaster
Rejected Keys:
As you can see, our Salt minion has sent its key to the master, but it has not been accepted yet. For security purposes, before accepting the key, we will run two commands.
We need to make sure the output of this (which tells us the fingerprint of the key the Salt minion generated):
saltmaster$ sudo salt-call key.finger --local
local:
24:c8:77:1d:ed:10:d7:b0:3e:bc:bc:ed:41:e1:5a:d1
Matches the fingerprint found here (the fingerprint of the key that the Salt master is being asked to accept). Substitute the minion ID here:
saltmaster$ sudo salt-key -f saltmaster
Unaccepted Keys:
saltmaster: 24:c8:77:1d:ed:10:d7:b0:3e:bc:bc:ed:41:e1:5a:d1
Once we verify that those values are the same, we can accept the key by typing:
saltmaster$ sudo salt-key -a saltmaster
After accepting the key, we can see that the key has been moved to the “Accepted Keys” section:
saltmaster$ sudo salt-key --list all
Accepted Keys:
saltmaster
Denied Keys:
Unaccepted Keys:
Rejected Keys:
Now, we can test that the Salt master and minion processes are communicating correctly by typing:
saltmaster$ sudo salt '*' test.ping
We should receive a message back indicating that the health check was successful:
saltmaster:
True
vi. Install a Separate Minion
Now that we have our Salt master server up and running smoothly, we can demonstrate how to bring a new server under Salt’s control as a minion.
Again, we have multiple ways of installing the necessary software, but we should match the method used for the master server.
This will ensure that we do not have a version mismatch between Salt master and minion.
Salt minions that are more up-to-date than their master server may exhibit unpredictable behavior.
When you are ready, log into the second server with the sudo user.
Install the Stable Master from the Official PPA
For the Salt master server installed from the SaltStack PPA, we can add the same PPA on the Ubuntu minion server:
saltminion$ sudo add-apt-repository ppa:saltstack/salt
This time, we only need to install the salt-minion executable. Update the local package index after adding the PPA and install the software by typing:
saltminion$ sudo apt-get update
saltminion$ sudo apt-get install salt-minion
vii. Install the Stable Version Using Salt-Bootstrap
For the stable version installed using salt-bootstrap, we can download the same script to the minion machine:
saltminion$ cd ~
saltminion$ curl -L https://bootstrap.saltstack.com -o install_salt.sh
We will call the script in almost the same way that we did on the Salt master. The only difference is that we leave out the -M flag since we do not need to install the master tools and daemons:
saltminion$ sudo sh install_salt.sh -P
Now that we have the minion installed, we can go ahead and configure it to communicate with the Salt master.
a. Get the Salt Master Public Key Fingerprint
Before we begin, we should grab the Salt master’s key fingerprint. We can add this to our minion configuration for increased security.
On the Salt master server, type:
saltmaster$ sudo salt-key -F master
The output should look something like this:
Local Keys:
master.pem: 12:db:25:3d:7f:00:a3:ed:20:55:94:ca:18:f8:67:97
master.pub: 7b:97:23:4b:a4:6d:16:31:2d:c9:e3:81:e2:d5:32:92
Accepted Keys:
saltmaster: 24:c8:77:1d:ed:10:d7:b0:3e:bc:bc:ed:41:e1:5a:d1
The value of the master.pub key, located under the “Local Keys” section is the fingerprint we are looking for. Copy this value to use in our Minion configuration.
Back on the new Salt minion, open the minion configuration “/etc/salt/minionfile” with an available text editor.
We need to specify the location where the Salt master can be found. This can either be a resolvable DNS domain name or an IP address:
master: ip_of_salt_master
Next, set the master_finger option to the fingerprint value we copied from the Salt master a moment ago:
master_finger: '7b:97:23:4b:a4:6d:16:31:2d:c9:e3:81:e2:d5:32:92'
Save and close the file once finished.
Now, restart the Salt minion daemon to implement the new configuration changes:
saltminion$ sudo restart salt-minion
The new minion should contact the Salt master service at the provided address. It will then send its key for the master to accept.
In order to securely verify the key, need to check the key fingerprint on the new minion server.
To do this, type:
saltminion$ sudo salt-call key.finger --local
We should see output that looks like this:
local:
32:2a:7c:9a:f2:0c:d1:db:84:df:d3:82:00:d5:8f:be
We will need to verify that the key fingerprint that the master server received matches this value.
Back on the Salt master server, we need to accept the key. First, verify that we have an unaccepted key waiting on the master:
saltmaster$ sudo salt-key --list all
We should see a new key in the “Unaccepted Keys” section that is associated with the new minion:
Check the fingerprint of the new key. Modify the highlighted portion below with the minion ID that we see in the “Unaccepted Keys” section:
saltmaster$ sudo salt-key -f saltminion
The output should look something like this:
Unaccepted Keys:
saltminion: 32:2a:7c:9a:f2:0c:d1:db:84:df:d3:82:00:d5:8f:be
If this matches the value we received from the minion when issuing the salt-call command, we can safely accept the key by typing:
saltmaster$ sudo salt-key -a saltminion
The key should now be added to the “Accepted Keys” section:
saltmaster$ sudo salt-key --list all
Accepted Keys:
saltmaster
saltminion
Denied Keys:
Unaccepted Keys:
Rejected Keys:
Test that we can send commands to the new minion by typing:
saltmaster$ sudo salt '*' test.ping
We should receive back answers from both of the minion daemons we have configured:
saltminion:
True
saltmaster:
True
This article will give you a comprehensive guide on the steps to perform installation and configuration of Salt Master and Minion servers on Ubuntu which involves a series of steps that include installing the master daemon, initial master configuration, installing a separate minion, and configuring the Minion.